Stealing and Exploitation
Form grabbing
Man-in-the-middle attacks
DLL Injection
Browser helper objects
Form Grabbing
A malicious technique that tries to steal authorization credentials from a web data form
before they are passed to a secure server via an encrypted protocol.
A form grabber is a type of malware that captures data such as IDs and passwords from
browser forms.
The target of a form grabber is the user’s Internet banking information. Form grabbers
typically gain access as a Trojan horse.
Once running on a host machine, a form grabber detects Internet banking login
information as it is being entered into a form, along with other identifying information
that will help the software masquerade as a customer.
The form grabber often stores the stolen information for easy access and also sends it
back to a parent server, where it may be added to a database. The information may be
used immediately for banking fraud or sold to other parties.
A form grabber may be a component of a more complex piece of malware such as Hand
of Thief. Internet banking crimeware is one of the largest and fastest-growing types of
malware threat. Such malware affects most common operating systems (OS) and Web
browsers.
The method was invented in 2003 by the developer of a variant of a trojan horse called
Downloader.Barbew, which attempts to download Backdoor.Barbew from the Internet
and bring it over to the local system for execution. However, it was not popularized as a
well-known type of malware attack until the emergence of the infamous banking trojan
Zeus in 2007.
Compared with key loggers, form grabbers not only avoid the problems caused by typos and
copy-and-paste, but also capture the names of the variables that the Web page uses to define the data.
The form grabber captured each of the variables individually, including the variables named pass and e-mail,
which require little analysis to determine that these are the user’s credentials. Additionally, the form grabber
captured the URL for which the data was destined and the title of the page, to correlate the user’s credentials with
the appropriate website. These abilities make form grabbers superior to key loggers, and as such they have
become the dominant form of credential theft for modern malicious code. Key loggers remain the best choice for
capturing data not entered into Web forms, such as system logon passwords, since this information does not pass
through form-grabbing code. To grab forms, a Trojan places itself between the Web browser and the networking
stack, where valuable information passes through the encryption functions before transmission.
Man-in-the-middle attacks
DLL Injection
Reflective DLL loading refers to loading a DLL from memory rather than from disk.
Browser Helper Objects
A Browser Helper Object (BHO) is a DLL that loads every time Microsoft Internet Explorer
runs. Typically, a BHO is installed by a third party program to enhance the functionality of
the web browser (many Internet Explorer plugins, for example, are BHOs). BHOs can be
installed silently, or can be installed ‘quietly’ (many users fail to read the small print that
comes with the EULA (End User License Agreement) displayed by the freeware program).
Also, because they’re programs, they can do anything that other programs can do. On top of
this, there’s no easy way to list the BHOs installed on the PC. As a result, BHO functionality
can be misused (to install adware or track browsing habits, for example).
Adware displays advertising content, often in a manner or context that may be unexpected
and unwanted by users. Adware programs often create unwanted effects on a system like
displaying pop-up advertisements and, in some instances, the lowering of either network
connection or system performance. Some adware can also collect the system's browsing
information (e.g. sites visited) and send the information to a remote server on the Internet.
The gathered information is used by a remote Web site or user for marketing purposes.
Browser Helper Objects (BHO) are plugins to the user's Web browser that may monitor or
manipulate Web surfing. In some cases the Browser Helper Object is a toolbar (BHOT).
Defense and Analysis Techniques
Volatile data is the data stored in temporary memory on a computer while it is running.
When a computer is powered off, volatile data is lost almost immediately.
A memory dump (also known as a core dump or system dump) is a snapshot capture of
computer memory data from a specific instant. A memory dump can contain valuable
forensics data about the state of the system before an incident such as a crash or security
compromise. Memory dumps contain RAM data that can be used to identify the cause of an
incident and other key details about what happened.
Memory forensics is useful when analyzing criminal activity such as hacking or insider
threats. Through the practice of memory forensics, experts are supplied with runtime system
activity, such as open network connections or recently executed commands and processes.
Programs are loaded into memory before they execute, which makes memory forensics
highly valuable. Each program or piece of data that is created, examined, or deleted passes
through RAM. This includes images, all web-browsing activity, encryption keys, network
connections, and injected code fragments. In many instances, certain artifacts can only be
found in RAM, such as the open network connections present at the time of the crash.
Attackers can develop malware which resides only in memory, rather than on disk, making it
virtually invisible to standard disk-based forensic methods. This makes memory forensics
tools essential.
Common firewalls and anti-virus tools do not have the ability to detect malware or critical
data in RAM. The best and most sophisticated tools have the ability to identify malware,
rootkits, and zero days in RAM.
Without the use of memory forensics, experts will be unable to collect all the pieces of
evidence. It is important for all experts to take training exercises so they don’t leave
important evidence behind. The importance of memory forensics cannot be stressed enough,
especially when collecting evidence of an attack and finding the attacker. The examination of
volatile data found only in RAM offers experts insight they would otherwise not have.
Many open source projects include memory forensics tools.
This is useful because of the way in which processes, files and programs are run in memory,
and once a snapshot has been captured, many important facts can be ascertained by the
investigator, such as:
Processes running
Executable files that are running
Open ports, IP addresses and other networking information
Users that are logged into the system, and from where
Files that are open and by whom
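The following is an added illustration, not code from these notes: a minimal string-carving pass over a constructed "memory dump" byte buffer (the kind of first step `strings` gives an investigator on a RAM image) that pulls out the artifact types listed above (URLs, IP addresses and ports, executable paths) and also surfaces a plaintext form body, showing why credentials captured before the browser encrypts the request, as in the form-grabbing section, are visible in volatile memory. All sample bytes, names and addresses are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample "memory dump": a few ASCII and UTF-16LE strings between
# binary filler, standing in for a slice of a RAM image (not real data).
SAMPLE_DUMP = (
    b"\x00\x01\x02MZ\x90\x00https://bank.example/login\x00\x00\xff\xfe"
    + "C:\\Users\\alice\\evil.exe".encode("utf-16-le") + b"\x00\x00\x7f\x00"
    + b"203.0.113.7:443\x00" + b"\x00" * 5
    + "svchost.exe".encode("utf-16-le") + b"\x00\x00"
    + b"POST /login\x00user=alice&pass=hunter2\x00"
)

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b")
WIN_PATH_RE = re.compile(r"[A-Za-z]:\\(?:[^\\\s]+\\)*[^\\\s]+")
FORM_BODY_RE = re.compile(r"^[\w.-]+=[^&\s]*(?:&[\w.-]+=[^&\s]*)+$")


def carve_strings(buf: bytes, min_len: int = 4) -> List[str]:
    """Carve printable ASCII and UTF-16LE strings (what `strings -a -el` does).
    Windows keeps paths, process names and registry data as UTF-16LE, so an
    ASCII-only pass would miss them."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(buf)]
    found += [m.group().decode("utf-16-le") for m in utf16_re.finditer(buf)]
    return found


def extract_indicators(strings: List[str]) -> Dict[str, List[str]]:
    """Pull the artifact types the notes list (URLs, IPs/ports, executables)
    plus plaintext form bodies, whose field names are exactly what a form
    grabber captures before the browser encrypts the request."""
    out: Dict[str, List[str]] = {"urls": [], "ipv4": [], "paths": [], "form_fields": []}
    for s in strings:
        out["urls"] += URL_RE.findall(s)
        out["ipv4"] += IPV4_RE.findall(s)
        out["paths"] += WIN_PATH_RE.findall(s)
        if FORM_BODY_RE.match(s):
            out["form_fields"] += [kv.split("=", 1)[0] for kv in s.split("&")]
    return out


if __name__ == "__main__":
    for kind, values in extract_indicators(carve_strings(SAMPLE_DUMP)).items():
        print(f"{kind}: {values}")
```

On a real image the same carving is a triage step only; process lists, open handles and connections are reconstructed from kernel structures by a dedicated framework rather than by string matching.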